1. Field of the Invention
The present invention generally relates to modeling operational risk for business management and, particularly, to an approach of assessing the impact of economic impact of risk and optimizing risk control countermeasures.
2. Background Description
Organizations are increasingly interested in robust systems for assessing and managing operational risk. The growing interest in operational risk management has been driven by a variety of factors, including the introduction of new regulations requiring businesses to quantify and manage operational risk, such as the New Basel Capital Accord, known as Basel II (see “The New Basel Capital Accord”, Bank for International Settlements, April 2003).
A prevailing definition of operational risk is given by the Basel Committee on Banking Supervision as “the risk of loss resulting from inadequate or failed internal processes, people or systems or from external events”. (See, “Working Paper on the Treatment of Operational Risk”, Basel Committee on Banking Supervision, September 2001.)
Prior art in operational risk modeling has been based on (a) statistical modeling of rare events and extreme value theory (see for example, see “Advances in Operational Risk”, Risk Books, 2003), and (b) Bayesian networks (see, for example, Operational Risk-Measurement and Modeling, Jack King, Wiley Publishers, 2001). Commercial software is also available based on these techniques (see for example, SAS OpRisk Management, published by SAS International, Heidelberg, Germany, and AgenaRisk 3.0, published by Agena Limited, London, United Kingdom). The drawback with the statistical approach is that very limited data is available on operational risk events. The drawback with the Bayesian network approach in the literature is that: (i) Inferencing problem in Bayesian networks is in general a computationally hard problem, i.e. NP-hard problem, which means that the computational effort grows exponentially as a function of input parameters such as risk events etc. (See D. M. Chickering, D. Geiger, D. Heckerman, “Learning Bayesian Networks is NP-hard”, Technical Report MSR-TR-94-17, Microsoft Research, 1994 & P. Dagum, M. Luby, “Approximating Probabilistic Inference in Bayesian Belief Networks is NP-hard”, Artificial Intelligence, 60 (1), pg 141-153, 1993). The implication of this is that this is not an efficient approach for operational risk modeling. By “efficient”, we mean that the computational effort is a polynomial function of input parameters for the model such as risk events, network topology etc. See Garey & Johnson, “Computers & Intractability: A Guide to the Theory of NP-Completeness” for a detailed description of NP-hard problems, polynomial algorithms etc. (ii) There is no systematic method known to construct these networks linked to business processes (e.g., of a financial institution). Moreover, these also suffer from the limitation in data on operational risk events, which will hamper the calibration and updating of these models.
The background described above indicates the need to develop a systematic methodology for operational risk assessment, based on the operational business processes in an enterprise and knowledge of its underlying physical and logical infrastructure, thus leading to a functional operational risk assessment and management system. Such a methodology can further be used as a basis to evaluate different countermeasures for operational risk control and mitigation. A general methodology for risk control consists of three steps: identification of risks, quantitative analysis of identified risks and the construction of a plan to control the risks, given a risk tolerance level. The first step involves estimating event's probability (frequency) and the event's potential size of loss (impact), which requires monitoring of operational risk events. The second step includes analyzing the correlations between various identified risk events and modeling them by a sound quantitative approach that will reveal the distribution of loss. It is at this step that different models enter. In the third step, the dominant risk events are identified and the cost-effectiveness of various risk countermeasures are calculated, on the basis of which an optimized risk control strategy is determined.